diff options
| author | Lennart Poettering <lennart@poettering.net> | 2014-03-24 20:07:42 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2014-03-24 20:07:42 +0100 |
| commit | 7f8aa67131cfc03ddcbd31c0420754864fc122f0 (patch) | |
| tree | 656e59465be5daa450fa4d34dcf2cc3bf298bf93 /src/core | |
| parent | 1cfc57e8847ab2b138e5a8fcff4f881b3b1a9b60 (diff) | |
core: remove tcpwrap support
tcpwrap is legacy code, that is barely maintained upstream. It's APIs
are awful, and the feature set it exposes (such as DNS and IDENT
access control) questionnable. We should not support this natively in
systemd.
Hence, let's remove the code. If people want to continue making use of
this, they can do so by plugging in "tcpd" for the processes they start.
With that scheme things are as well or badly supported as they were from
traditional inetd, hence no functionality is really lost.
Diffstat (limited to 'src/core')
| -rw-r--r-- | src/core/build.h | 8 | ||||
| -rw-r--r-- | src/core/dbus-execute.c | 1 | ||||
| -rw-r--r-- | src/core/execute.c | 26 | ||||
| -rw-r--r-- | src/core/execute.h | 2 | ||||
| -rw-r--r-- | src/core/load-fragment-gperf.gperf.m4 | 3 | ||||
| -rw-r--r-- | src/core/load-fragment.c | 4 | ||||
| -rw-r--r-- | src/core/tcpwrap.c | 68 | ||||
| -rw-r--r-- | src/core/tcpwrap.h | 26 |
8 files changed, 3 insertions, 135 deletions
diff --git a/src/core/build.h b/src/core/build.h index 3d7cd3ea39..f6faf06ae8 100644 --- a/src/core/build.h +++ b/src/core/build.h @@ -27,12 +27,6 @@ #define _PAM_FEATURE_ "-PAM" #endif -#ifdef HAVE_LIBWRAP -#define _LIBWRAP_FEATURE_ "+LIBWRAP" -#else -#define _LIBWRAP_FEATURE_ "-LIBWRAP" -#endif - #ifdef HAVE_AUDIT #define _AUDIT_FEATURE_ "+AUDIT" #else @@ -93,4 +87,4 @@ #define _SECCOMP_FEATURE_ "-SECCOMP" #endif -#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _LIBWRAP_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ " " _GCRYPT_FEATURE_ " " _ACL_FEATURE_ " " _XZ_FEATURE_ " " _SECCOMP_FEATURE_ " " _APPARMOR_FEATURE_ +#define SYSTEMD_FEATURES _PAM_FEATURE_ " " _AUDIT_FEATURE_ " " _SELINUX_FEATURE_ " " _IMA_FEATURE_ " " _SYSVINIT_FEATURE_ " " _LIBCRYPTSETUP_FEATURE_ " " _GCRYPT_FEATURE_ " " _ACL_FEATURE_ " " _XZ_FEATURE_ " " _SECCOMP_FEATURE_ " " _APPARMOR_FEATURE_ diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c index bf4a682d3a..13b3d0dd14 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c @@ -618,7 +618,6 @@ const sd_bus_vtable bus_exec_vtable[] = { SD_BUS_PROPERTY("User", "s", NULL, offsetof(ExecContext, user), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("Group", "s", NULL, offsetof(ExecContext, group), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("SupplementaryGroups", "as", NULL, offsetof(ExecContext, supplementary_groups), SD_BUS_VTABLE_PROPERTY_CONST), - SD_BUS_PROPERTY("TCPWrapName", "s", NULL, offsetof(ExecContext, tcpwrap_name), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("PAMName", "s", NULL, offsetof(ExecContext, pam_name), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("ReadWriteDirectories", "as", NULL, offsetof(ExecContext, read_write_dirs), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("ReadOnlyDirectories", "as", NULL, offsetof(ExecContext, read_only_dirs), SD_BUS_VTABLE_PROPERTY_CONST), diff --git a/src/core/execute.c b/src/core/execute.c index 353f2d1297..4a3aeda3cd 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -69,7 +69,6 @@ #include "ioprio.h" #include "securebits.h" #include "namespace.h" -#include "tcpwrap.h" #include "exit-status.h" #include "missing.h" #include "utmp-wtmp.h" @@ -1362,23 +1361,6 @@ int exec_spawn(ExecCommand *command, goto fail_child; } - if (context->tcpwrap_name) { - if (socket_fd >= 0) - if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) { - err = -EACCES; - r = EXIT_TCPWRAP; - goto fail_child; - } - - for (i = 0; i < (int) n_fds; i++) { - if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) { - err = -EACCES; - r = EXIT_TCPWRAP; - goto fail_child; - } - } - } - exec_context_tty_reset(context); if (confirm_spawn) { @@ -1878,9 +1860,6 @@ void exec_context_done(ExecContext *c) { free(c->tty_path); c->tty_path = NULL; - free(c->tcpwrap_name); - c->tcpwrap_name = NULL; - free(c->syslog_identifier); c->syslog_identifier = NULL; @@ -2148,11 +2127,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { STRV_FOREACH(e, c->environment_files) fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e); - if (c->tcpwrap_name) - fprintf(f, - "%sTCPWrapName: %s\n", - prefix, c->tcpwrap_name); - if (c->nice_set) fprintf(f, "%sNice: %i\n", diff --git a/src/core/execute.h b/src/core/execute.h index 9fcea121fa..c9e29ffc8a 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -113,8 +113,6 @@ struct ExecContext { nsec_t timer_slack_nsec; - char *tcpwrap_name; - char *tty_path; bool tty_reset; diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 index 3a77234e97..dbb5d13b76 100644 --- a/src/core/load-fragment-gperf.gperf.m4 +++ b/src/core/load-fragment-gperf.gperf.m4 @@ -84,9 +84,6 @@ $1.MountFlags, config_parse_exec_mount_flags, 0, $1.Personality, config_parse_personality, 0, offsetof($1, exec_context.personality) $1.RuntimeDirectoryMode, config_parse_mode, 0, offsetof($1, exec_context.runtime_directory_mode) $1.RuntimeDirectory, config_parse_runtime_directory, 0, offsetof($1, exec_context.runtime_directory) -m4_ifdef(`HAVE_LIBWRAP', -`$1.TCPWrapName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.tcpwrap_name)', -`$1.TCPWrapName, config_parse_warn_compat, 0, 0') m4_ifdef(`HAVE_PAM', `$1.PAMName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.pam_name)', `$1.PAMName, config_parse_warn_compat, 0, 0') diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index e7779d1625..c604f9096d 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -64,7 +64,7 @@ #include "seccomp-util.h" #endif -#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR) +#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR) int config_parse_warn_compat( const char *unit, const char *filename, @@ -3328,7 +3328,7 @@ void unit_dump_config_items(FILE *f) { const ConfigParserCallback callback; const char *rvalue; } table[] = { -#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR) +#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR) { config_parse_warn_compat, "NOTSUPPORTED" }, #endif { config_parse_int, "INTEGER" }, diff --git a/src/core/tcpwrap.c b/src/core/tcpwrap.c deleted file mode 100644 index 6c630fac60..0000000000 --- a/src/core/tcpwrap.c +++ /dev/null @@ -1,68 +0,0 @@ -/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ - -/*** - This file is part of systemd. - - Copyright 2010 Lennart Poettering - - systemd is free software; you can redistribute it and/or modify it - under the terms of the GNU Lesser General Public License as published by - the Free Software Foundation; either version 2.1 of the License, or - (at your option) any later version. - - systemd is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public License - along with systemd; If not, see <http://www.gnu.org/licenses/>. -***/ - -#include <sys/socket.h> -#include <sys/un.h> -#include <arpa/inet.h> -#include <netinet/in.h> - -#ifdef HAVE_LIBWRAP -#include <tcpd.h> -#endif - -#include "tcpwrap.h" -#include "log.h" - -bool socket_tcpwrap(int fd, const char *name) { -#ifdef HAVE_LIBWRAP - struct request_info req; - union { - struct sockaddr sa; - struct sockaddr_in in; - struct sockaddr_in6 in6; - struct sockaddr_un un; - struct sockaddr_storage storage; - } sa_union; - socklen_t l = sizeof(sa_union); - - if (getsockname(fd, &sa_union.sa, &l) < 0) - return true; - - if (sa_union.sa.sa_family != AF_INET && - sa_union.sa.sa_family != AF_INET6) - return true; - - request_init(&req, - RQ_DAEMON, name, - RQ_FILE, fd, - NULL); - - fromhost(&req); - - if (!hosts_access(&req)) { - log_warning("Connection refused by tcpwrap."); - return false; - } - - log_debug("Connection accepted by tcpwrap."); -#endif - return true; -} diff --git a/src/core/tcpwrap.h b/src/core/tcpwrap.h deleted file mode 100644 index 3353b6596e..0000000000 --- a/src/core/tcpwrap.h +++ /dev/null @@ -1,26 +0,0 @@ -/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ - -#pragma once - -/*** - This file is part of systemd. - - Copyright 2010 Lennart Poettering - - systemd is free software; you can redistribute it and/or modify it - under the terms of the GNU Lesser General Public License as published by - the Free Software Foundation; either version 2.1 of the License, or - (at your option) any later version. - - systemd is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public License - along with systemd; If not, see <http://www.gnu.org/licenses/>. -***/ - -#include <stdbool.h> - -bool socket_tcpwrap(int fd, const char *name); |